Set up SSO with PingFederate

This section explains how to set up your SSO connection using PingFederate as the identity provider, so that users can sign in to Autodesk with their organization’s email address. This connection uses SAML (Security Assertion Markup Language) to allow Autodesk to communicate with PingFederate to authenticate users. To enable this communication, you will need to add metadata from PingFederate to Autodesk and vice versa.

Page Contents:

Begin setup in Autodesk

Initiate SP Connection in PingFederate

Add PingFederate metadata to Autodesk

Add Autodesk metadata to PingFederate

Test your connection

Link verified domains

Begin setup in Autodesk

  1. In Autodesk Account, go to User management > By user or By Group.

  2. Select your team from the drop-down list and click the Team Settings ⚙️ icon in the upper right-hand corner.

  3. Go to the section Enterprise access and select Manage SSO.

  4. Select the Manage SSO tab > Set up connection.

  5. You will be asked to name your connection. Enter a name that will help you easily identify the connection between your identity provider and Autodesk and differentiate it from other connections. The name must be unique and not in use by another team or organization.

  6. Select your identity provider from the drop-down menu.

Initiate SP Connection in PingFederate

To enable single sign-on, you must create an IdP to SP SAML bridge.

The instructions in this section match the user interface as of January 2018. Consult the documentation on Adding and Configuring a New SAML APPLICATION for the most up-to-date documentation provided by Ping Identity:

https://docs.pingidentity.com/bundle/pingfederate-93/page/iou1564002997990.html

The purpose of this document is to assist admins with configuring Autodesk SSO with PingFederate (as the Identity Provider) version 8.3.xx. There are several components (data stores, certificates, protocols, etc.) and methods (policies, assertions, workflows, etc.) to creating a SAML 2.0 connection and this guide should help the Administrator with integrating SSO into their environment.

Log in to your PingFederate Administrative Console.

Continue on to Sections A through C and follow the instructions in Add Autodesk metadata to PingFederate to finalize the connection.

Add PingFederate metadata to Autodesk

This section covers how to get metadata from PingFederate that is needed to set up a SAML connection with Autodesk.

  1. Choose Manual setup to copy and paste the information manually. PingFederate does not allow the metadata file to be downloaded automatically.

  2. Go to Server Configuration --> Server Settings.

  3. Select the Federation Info tab to find the Base URL and Entity ID. Make a note of these values.

    Note:

    Combine the Base URL with login information to make it a Login URL.

  4. Go to IDP Configuration --> Protocol Endpoints.

    Note:

    The Protocol Endpoints page displays the server endpoints for the base URLs used to communicate with PingFederate. In most cases, POST is used for the SSO.

  5. Add the POST endpoint to the end of the base URL you copied earlier to create the Login URL.

  6. Go to Server Configuration --> Certificate Management section. Click Signing & Decryption Keys & Certificate.

    Note:

    The status and the expiry details of the certificate are displayed.

  7. Select whether you want to export the certificate only or the certificate and private key.

  8. Click Next.

  9. Click Export to download the certificate.

Return to SSO connection setup in Autodesk Account and paste the information you copied from PingFederate into Autodesk as shown in the table.

| PingFederate | Autodesk |
|---|---|
| Entity ID | Entity ID |
| Login URL | Sign-on URL* |
| Signing Certificate | Verification Certificate |

  1. Confirm that the fields are filled in and click Next in Autodesk Account.

Note:

*Binding refers to the mechanism used to transmit authentication data between the identity provider and service provider (Autodesk). There are two binding methods: Post and Redirect.

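The Post method is recommended, and is selected by default. This method transmits SAML messages within an HTML form using base64-encoded content. Because the message travels in the body of the request rather than in the URL, it is less likely to be captured in logs, which makes it more secure than the Redirect method, and it is recommended as a security best practice. Base64 is an encoding, not encryption, so the protection comes from where the message is carried and not from the encoding itself.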

The Redirect method transmits SAML messages encoded as HTTP URL parameters. The response is part of the URL and may be captured and exposed in various logs, making this method less secure than the Post method.
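
The two bindings described above, as an added example (not Autodesk or Ping Identity code): it encodes one message both ways and decodes it back, which shows that a Redirect URL copied from a log yields the full message. The sample AuthnRequest, the issuer and `IDP_ENDPOINT` are constructed placeholders.

```python
import base64
import zlib
from urllib.parse import urlencode, urlsplit, parse_qs

# Placeholder endpoint; use the Login URL built from your Base URL instead.
IDP_ENDPOINT = "https://idp.example.com/sso"

# Constructed sample message; ID, issuer and timestamp are placeholders.
SAMPLE_XML = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_example123" Version="2.0" IssueInstant="2018-01-01T00:00:00Z">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    'https://sp.example.com</saml:Issuer></samlp:AuthnRequest>'
)


def encode_post(xml: str) -> str:
    """Post binding: base64 of the XML, carried in a hidden HTML form field."""
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")


def decode_post(field_value: str) -> str:
    """Reverse of encode_post; no key is needed, base64 is not encryption."""
    return base64.b64decode(field_value).decode("utf-8")


def encode_redirect(xml: str, endpoint: str) -> str:
    """Redirect binding: raw DEFLATE, then base64, then URL-encoded in the query."""
    comp = zlib.compressobj(wbits=-15)  # negative wbits = raw DEFLATE, no header
    deflated = comp.compress(xml.encode("utf-8")) + comp.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode("ascii")})
    return f"{endpoint}?{query}"


def decode_redirect(url: str) -> str:
    """Recover the message from a URL, such as one found in a proxy or access log."""
    value = parse_qs(urlsplit(url).query)["SAMLRequest"][0]
    return zlib.decompress(base64.b64decode(value), wbits=-15).decode("utf-8")
```

Anything that records full URLs (browser history, proxies, web server access logs) holds enough to run `decode_redirect`, whereas the Post form field is normally absent from those records.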

Add Autodesk metadata to PingFederate

This step allows your identity provider to connect back to Autodesk for user authentication. You can select either:

  • Automatic setup to download the Autodesk metadata file and upload it to PingFederate (Recommended)

  • Manual setup to copy and paste the information manually.

For automatic setup:

  • Select Download to download the Autodesk metadata XML file. You will upload this file to PingFederate in the next step.

For manual setup:

  1. Copy the following information. You will enter this info into PingFederate in the next step.

  • Entity ID

  • Assertion Consumer Service (ACS) URL

  • Verification certificate

  2. Return to PingFederate.

Log in to the PingFederate administrative portal. Go to IDP Configuration --> SP Connections.

Create SP Connection

  1. Click Create New.

    Verify that the 'BROWSER SSO PROFILES' box is checked. Click Next.

  2. Click Next.

    Verify that the 'BROWSER SSO' box is checked. Click Next.

  3. Select 'File' and click Choose File to upload the metadata file.

  4. Click Next. The fields Entity Id and Metadata Signature Status will be automatically filled in.

  5. Click Next.

    General Info will display, showing your unique connection identifier (Connection ID), Connection Name, and Base URL. You can edit the connection name as needed.

  6. Click Next to configure Browser SSO.

1. Configure Browser SSO


  1. Click 'Configure Browser SSO' button.

  2. Check the box next to 'SP-INITIATED SSO' and click Next.

  3. Set the Assertion Lifetime minutes. Click Next.

2. Assertion Creation


  1. Click 'Configure Assertion Creation'.

  2. Select 'STANDARD' and click Next.

  3. Extend the Contract with attributes as shown and click Next.

Note:

These attribute labels are strictly case-sensitive. If they are mapped differently or contain invalid characters, the authentication will fail.

3. Map Adapter Instance


  1. Click 'Map New Adapter Instance' button.

  2. Select the Adapter Instance created in Section C of this guide, then click Next.

  3. Select myidp as shown and click Next.

  4. Map attributes as shown in the table below, then click Next.

| Application Attributes | Values |
|---|---|
| firstName | First Name |
| lastName | Last Name |
| email | Email |
| objectGUID | objectGUID |

  5. Click Next.

  6. Verify the configuration settings and click Done.

    You will see the New Adapter Instance screen. Click Next.

  7. Verify the configuration and click Done.

    You will see the Assertion Creation screen. Click Done and save the settings.
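
One way to check the attribute labels from the mapping table against an assertion captured during a test sign-in, as an added example (not Autodesk or Ping Identity code). The sample assertion is constructed, with "Email" deliberately mis-cased and objectGUID left out; the script checks labels only and does not validate the signature.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Application attribute labels from the mapping table; matching is case-sensitive.
REQUIRED = ("firstName", "lastName", "email", "objectGUID")

# Constructed sample: "Email" is mis-cased and objectGUID is absent.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Email"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def check_attributes(assertion_xml: str) -> dict:
    """Compare attribute names in an assertion with the required labels, exactly."""
    root = ET.fromstring(assertion_xml)  # only for assertions from your own test sign-in
    found = {}
    for attr in root.iterfind(".//saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        found[attr.get("Name", "")] = values
    by_lower = {name.lower(): name for name in found}
    report = {"ok": [], "wrong_case": [], "missing": [], "empty": []}
    for label in REQUIRED:
        if label in found:
            # Present with the exact label; flag it if every value is blank.
            key = "ok" if any(v.strip() for v in found[label]) else "empty"
            report[key].append(label)
        elif label.lower() in by_lower:
            # Same letters, different case: the label would not match.
            report["wrong_case"].append((label, by_lower[label.lower()]))
        else:
            report["missing"].append(label)
    return report
```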

4. Protocol Settings


  1. Click 'Configure Protocol Settings' button.

  2. Verify the default settings as in the above screen and click Next.

  3. Select POST and REDIRECT check boxes then click Next.

    Note:

    ARTIFACT and SOAP are not selected at any point.

  4. Select the ALWAYS SIGN THE SAML ASSERTION checkbox and click Next.

  5. Scroll down and click Next.

  6. Verify the configuration and click Done to go back to the previous screen.

5. Configure Credentials


  1. Click Next to select Configure Credentials.

  2. Select the Signing Certificate and Signing Algorithm from the list predefined by PingFederate.

  3. Click Next to verify the Signature Settings.

  4. Click Done.

  5. Click Next to save the SP Connection.

    Note:

    A summary of the entire connection, including Browser SSO, Assertion Creation, Protocol Settings and Credentials, is displayed.

  6. Activate the connection when ready and click Save. The list of SP Connections is displayed and can be managed as required.

  7. After adding Autodesk metadata to PingFederate and mapping attributes, return to SSO connection setup in Autodesk Account to test the connection.

Test your connection

Note:

Before testing the connection, make sure you assign yourself access to the Autodesk SSO application that you created with your identity provider.

  1. Click Test connection to be redirected to your organization’s SSO sign-in page. (If you are not redirected, see Troubleshooting).

  2. Sign in to make sure that the connection between your identity provider and Autodesk is set up correctly. If the test is successful, you will see the message “Connection Test Result: Success” and a list of properties.

  3. Confirm that the attributes have mapped correctly by comparing the Property and Value columns. The property “first name” should appear next to the user’s first name, “last name” should appear next to the user’s last name, and so on. If you need to make changes, return to the previous step (Mapping attributes) and re-map the attributes.

  4. Once you have confirmed that attributes are mapped correctly, return to the Autodesk Account tab and click Next.

  5. You will see a list of your verified domains. Select one or more verified domains to link to your connection.

  6. Click Save connection to complete the setup.

Note:

If a domain is not verified, you can still save the connection and link it later in Manage SSO.

If you have not finished verifying domains, go to Add and verify domains to complete the process. Once you have finished linking domains, return to Manage SSO to test and turn on SSO.
